MultiLayer Switching (MLS) is Ethernet-based routing switch technology
by Cisco that provides Layer 3 (L3) switching in conjunction with existing
routers. This document covers only IP MLS. Internetwork Packet Exchange (IPX)
MLS and Multicast MLS are beyond the scope of this document.
There are no specific requirements for this document.
The information in this document is based on these software and
Supervisor Engine 4.1(1) or later
Catalyst 5000 family switch with Supervisor Engine II G or III G,
or Supervisor Engine III or III F with a NetFlow Feature Card (NFFC) or NFFC
If running MLS over ATM media, Catalyst 5000 family ATM module
software release 11.3(8)WA4(11) or later, or release 12.0(3c)W5(10) or
MLS is supported on all Catalyst 6500 and 6000 switches with
Supervisor Engine 1 or 1A using the MultiLayer Switch Feature Card (MSFC) or
MSFC2. MLS is enabled by default internally between the Supervisor module and
MSFC. No MLS configuration is required on the Supervisor Command Language
Interpreter (CLI) or the routing module. The Catalyst 6500 and 6000 do not
support external MLS (MLS-RP).
Note: The Catalyst 6500 and 6000 MSFC2 with PFC2 (Supervisor Engine
2) and Supervisor Engine 720 with MSFC3 perform L3 switching using Cisco
Express Forwarding (CEF) and do not require MLS internally. They do not support
external MLS (MLS-RP).
Route Switch Module (RSM), Route Switch Feature Card (RSFC), or
external Cisco 7500, 7200, 4700, 4500, or 3600 series router
Cisco IOS® Software Release 11.3(2)WA4(4) or later on the RSM, or
on Cisco 7500, 7200, 4700, and 4500 series routers
Cisco IOS Software Release 12.0(3c)W5(8a) or later on the
Cisco IOS Software Release 12.0(2) or later on Cisco 3600 series
Cisco IOS Software Release 12.0(3c)W5(8) or later on the MLS-RP, if
running MLS over ATM media
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
For more information on document conventions, refer to the
Technical Tips Conventions.
Traditional routers typically perform two main functions: route
processing calculation and packet switching based on a routing table (Media
Access Control [MAC] Address rewrite, redo checksum, Time To Live [TTL]
decrement, and so forth). The major difference between a router and an L3
switch is that packet switching in a router is done in software by
microprocessor-based engines, whereas packet switching in an L3 switch is done
in hardware by specific Application Specific Integrated Circuits
MLS requires these components:
MultiLayer Switching Engine (MLS-SE)—Responsible for packet switching
and rewrite functions in custom ASICs, and capable of identifying L3
MultiLayer Switching Route Processor (MLS-RP)—Informs the MLS-SE of
MLS configuration, and runs Routing Protocols (RPs) for route
MultiLayer Switching Protocol (MLSP)—Multicast Protocol messages sent
by the MLS-RP to inform the MLS-SE of the MAC address used by MLS-RP, routing
and access list changes, and so forth. The MLS-SE uses that information to
program the custom ASICs.
In this section, you are presented with the information to configure
the features described in this document.
Note: Use the
(registered customers only)
to obtain more information on the commands used in this
This document shows an IP MLS sample configuration using an RSM, as
shown in this network diagram:
In the diagram above, PC-A (A) wants to communicate with PC-B (B). They
are in different VLANs, so the traffic is routed via the RSM (the default
gateway for the PCs). The first packet is sent by PC-A and is routed by the RSM
towards PC-B. A shortcut (A � B) is created, and all subsequent packets will be
L3 switched by the MLS-SE, using the Supervisor Engine running on the
Note: The entry for a shortcut is unidirectional, so another entry will be
created when PC-B communicates with PC-A.
The examples below show the PC communication, the MLS shortcut, and
other MLS information.
PC-A# ping 220.127.116.11
!--- Pinging PC-B.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 18.104.22.168, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
This output is generated by issuing the indicated commands on the
switch-MLS-SE (enable) show mls entry
Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
22.214.171.124 126.96.36.199 ICMP - - 00-d0-58-43-9f-60 11 6/11
!--- As in the note above, there are two shortcuts A � B and B � A.
188.8.131.52 184.108.40.206 ICMP - - 00-00-0c-07-ac-01 12 6/12
switch-MLS-SE (enable) show mls
Multilayer switching enabled
!--- By default, MLS is enabled on the switch.
Multilayer switching aging time = 256 seconds
Multilayer switching fast aging time = 0 seconds, packet threshold = 0
Current flow mask is Destination flow
Configured flow mask is Destination flow
Total packets switched = 8
!--- Five echoes and five replies were sent; the first echo and reply went
!--- through the RSM, and subsequent echoes and replies were L3 switched,
!--- which gives us a total of eight L3 switched packets and two shortcuts.
Active shortcuts = 2
Netflow Data Export disabled
Total packets exported = 0
MLS-RP IP MLS-RP ID XTAG MLS-RP MAC-Vlans
---------------- ------------ ---- ------------------ --------------
220.127.116.11 00100b108800 2 00-10-0b-10-88-00 11-12
switch-MLS-SE (enable) show mls statistics rp
Total packets switched = 8
Active shortcuts = 2
Total packets exported= 0
MLS-RP IP MLS-RP ID packets bytes
--------------- ------------ ---------- ------------
18.104.22.168 00100b108800 8 944
RSM-MLS-RP# show mls rp
multilayer switching is globally enabled
mls id is 0010.0b10.8800
mls ip address 22.214.171.124
!--- IP address of MLS-RP.
mls flow mask is destination-ip
number of domains configured for mls 1
vlan domain name: sales
current flow mask: destination-ip
current sequence number: 3150688457
current/maximum retry count: 0/10
current domain state: no-change
current/next global purge: false/false
current/next purge count: 0/0
domain uptime: 1d00h
keepalive timer expires in 8 seconds
retry timer not running
change timer not running
1 management interface(s) currently defined:
vlan 11 on Vlan11
2 mac-vlan(s) configured for multi-layer switching:
!--- VLANs and interfaces participating in MLS.
router currently aware of following 1 switch(es):
switch id 0050.d133.2bff
!--- MAC address of the MLS-SE.
In this example, the RSM is used as the MLS-RP, with this software
IOS (tm) C5RSM Software (C5RSM-JSV-M), Version 11.3(9)WA4(12) RELEASE SOFTWARE
Copyright (c) 1986-1999 by Cisco Systems, Inc.
The software version on the switch is as follows:
WS-C5509 Software, Version McpSW: 4.5(2) NmpSW: 4.5(2)
Copyright (c) 1995-1999 by Cisco Systems, Inc.
On the switch, MLS is enabled by default. There is no need to specify
the MLS-RP IP address if it is the RSM. Conversely, for an external router
acting as the MLS-RP, you need to configure the switch with this IP address by
issuing this command, where IPaddress is the IP address of
the external MLS-RP:
set mls include IPaddress
Use this procedure to configure the router:
Enable MLS in global configuration mode by issuing the
mls rp ip command.
Router(config)# mls rp ip
Assign a Virtual Terminal Protocol (VTP) domain on one MLS
Router(config-if)# mls rp vtp-domain VTP_domain_name
Note: You can determine the VTP domain name
(VTP_domain_name in the example above) by issuing the
show vtp domain command on the switch.
Enable MLS on the interface so that it can participate in the
Router(config-if)# mls rp ip
Specify a router interface as a management interface, which allows
the MLS-SE and MLS-RP to communicate using a multicast protocol (MLSP).
Router(config-if)# mls rp management-interface
Repeat Steps 2 and 3 for all interfaces participating in MLS.
Note: Step 4 is needed only once on one interface for MLSP to allow
communication (MLS-RP �� MLS-SE).
The MLS-RP current configuration is as follows:
mls rp ip
ip address 126.96.36.199 255.255.255.0
mls rp vtp-domain sales
mls rp management-interface
mls rp ip
ip address 188.8.131.52 255.255.255.0
mls rp vtp-domain sales
mls rp ip
line con 0
line aux 0
line vty 0 4
For MLS to work, the MLS-SE must see the packet go to the MLS-RP and
come back out from the same MLS-RP to the same MLS-SE.
The MLS-SE never gets involved in any routing protocols or route
calculation. All routing protocols are run by the MLS-RP; for example, Open
Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP),
Interior Gateway Routing Protocol (IGRP), Routing Information Protocol (RIP),
and so forth.
The MLS-RP is not aware that the MLS-SE is forwarding some packets on
If the MLS-SE can not establish an L3 entry for any reason, it sends
the packet to the MLS-RP for normal routing; it does not drop the
Hot Standby Router Protocol (HSRP) and MLS can interoperate without
The mls and ip
cef on exact-route commands for the same DA give different
results. This is a normal behavior. The ip cef
command information is software-based. This is calculated from the routing
table and MAC address table. However, the mls cef
command is Hardware forwarding information which is based on software CEF and
can be changed by a load balancing algorithm.
The mls ip cef load-sharing simple command
gives a better load balance and avoids a new adjacency in the forwarding
engine. Also, the mls ip cef load-sharing full
command is a load balancing algorithm recommended for a single-stage CEF that
includes a load balancing algorithm for L4 ports. In order to achieve the best
CEF load balancing, alternate L3 and L4 hashing on access, distribution and
core routers, and use this type of configuration:
The mls ip cef load-sharing full command
can improve load balancing if there is a good mix of L4 ports in the network.
With the SRB2 image it can used in all adjacencies such as ip2ip, ip2tag,
tag2tag and tag2ip cases. However, with SRA it works only with ip2ip, ip2tag
Once you have configured MLS, you will see entries in the MLS cache
The MLS mechanism is relatively simple: PC-A sends the initial packet,
and the router rewrites the Layer 2 (L2) address and completes the L3
The enabler packet is returned and now the shortcut is complete;
subsequent packets for this flow will be L3
In summary, this is the process for all L3 switched packets:
The candidate packet is sent to the router.
The enabler packet is sent by the router.
Everything is configured to get the shortcut and start the L3
switching for this flow (A ��
Input access lists are supported with IP MLS beginning with Cisco IOS
Software Release 12.0(2) and later. Before release 12.0(2), input access lists
were not compatible with MLS.
Output access lists have always been supported.
Enabling IP accounting on an IP-MLS-enabled interface disables the IP
accounting functions on that interface.
IP MLS is disabled on an interface when the data encryption feature is
configured on the interface.